Comment by lxgr
12 years ago
Android versions 4.1 and higher seem to be vulnerable (check the openssl.version file for every version in https://android.googlesource.com/platform/external/openssl.g... and compare with the vulnerable versions listed on http://heartbleed.com/).
I looked at the 4.4 (Kitkat) source code and it seems to me that the HEARTBEAT is disabled. https://android.googlesource.com/platform/external/openssl.g... contains -DOPENSSL_NO_HEARTBEATS
I am also unclear whether Dalvik or ART use OpenSSL for TLS connections.
It seems that Android is in fact not vulnerable: https://twitter.com/agl__/status/453472368589942785